Switch and Router Requirements for an Active/Active FireCluster
When you configure FireCluster in an active/active configuration, the cluster uses multicast MAC addresses for all interfaces that send network traffic. Before you enable FireCluster, make sure your network switches, routers, and other devices are configured to route network traffic with multicast MAC addresses.
A layer 2 broadcast domain is a logical part of a computer network in which all network nodes can communicate with each other without the use of a layer 3 routing device, such as a router or managed switch.
An active/active FireCluster uses a single multicast MAC address. Most network routers and managed switches ignore traffic from multicast MAC addresses by default. Before you enable an active/active FireCluster, make sure that all the network switches and routers in the layer 2 broadcast domain meet the requirements.
Requirements for Switches and Routers
All switches and routers in an active/active FireCluster broadcast domain must meet these requirements.
- All switches and routers in the broadcast domain must not block ARP requests if the response contains a multicast MAC address.
  - This is the default behavior for most layer 2 switches.
  - For routers and layer 3 switches, the default behavior is to follow RFC 1812, which says that a router must not believe any ARP reply that claims that the link layer address of another host or router is a broadcast or multicast address. If possible, disable this behavior. If you cannot disable the RFC 1812 check, you might need to configure static MAC and static ARP entries on your routing device.
  Some layer 3 switches do not allow you to configure static MAC addresses on multiple ports. If possible, we recommend that you use a layer 2 switch, which requires less configuration and is easier to set up.
- All switches in the broadcast domain must be configured to forward traffic to all ports when the destination MAC address is the multicast MAC address of the FireCluster.
  - For unmanaged layer 2 switches, this should be the default behavior.
  - For managed switches, you might need to add static MAC and static ARP entries for the FireCluster.
- You might need to add the IP address and MAC address of each router or layer 3 switch in the broadcast domain as a static ARP entry in the FireCluster configuration.
One multicast MAC address is shared between the pair. The MAC address starts with 01:00:5E. You can find the multicast MAC addresses for a cluster in the Firebox System Manager Status Report tab, or in the FireCluster configuration dialog box in Policy Manager.
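The RFC 1812 rule above and the 01:00:5E prefix both come down to inspecting the first octet of a MAC address. The following Python script is an added example, not WatchGuard's code or anything from the FireCluster product: it classifies MAC addresses the way a strict RFC 1812 router does (the I/G bit of the first octet set means a group address) and scans a constructed, two-column ARP table dump to flag entries that a router or layer 3 switch would need static ARP and MAC entries for. The ARP table lines, IP addresses and MAC addresses in it are constructed sample data.

```python
"""Added example (not WatchGuard's code): classify MAC addresses as a strict
RFC 1812 router would, and flag ARP-table entries that resolve to a multicast
MAC such as the one an active/active FireCluster uses."""

# The page states the cluster's multicast MAC starts with 01:00:5E.
FIRECLUSTER_MAC_PREFIX = bytes.fromhex("01005e")

# Constructed sample ARP table: "ip mac" per line, as you might get after
# trimming the output of `arp -a` or `ip neigh` down to two columns.
SAMPLE_ARP_TABLE = [
    "10.0.1.1 01:00:5e:01:02:03",    # constructed: a cluster interface
    "10.0.1.2 00:50:56:ab:cd:ef",    # constructed: an ordinary host
    "10.0.1.254 0000.0c9f.f001",     # constructed: a router, dotted format
    "garbage line without a mac",
]


def parse_mac(mac: str) -> bytes:
    """Accept 01:00:5e:01:02:03, 01-00-5e-01-02-03 or 0100.5e01.0203."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return bytes.fromhex(hexdigits)


def is_group_mac(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is
    set, i.e. the address is multicast or broadcast. This is exactly the
    class of link-layer address RFC 1812 tells a router to distrust in an
    ARP reply."""
    return bool(parse_mac(mac)[0] & 0x01)


def rfc1812_router_accepts_arp_reply(sender_mac: str) -> bool:
    """A router following RFC 1812 must not believe an ARP reply whose
    sender hardware address is a broadcast or multicast address."""
    return not is_group_mac(sender_mac)


def is_firecluster_style_mac(mac: str) -> bool:
    """True when the MAC carries the 01:00:5E prefix the page describes."""
    return parse_mac(mac)[:3] == FIRECLUSTER_MAC_PREFIX


def flag_arp_entries(lines):
    """Return (ip, mac, needs_static_entries) for each parsable 'ip mac'
    line. needs_static_entries is True when the MAC is a group address,
    so a strict router or layer 3 switch in the broadcast domain would
    drop the ARP reply and need static ARP and MAC entries instead."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip lines that are not "ip mac"
        ip, mac = parts[0], parts[1]
        try:
            needs_static = is_group_mac(mac)
        except ValueError:
            continue  # skip lines whose second column is not a MAC
        results.append((ip, mac, needs_static))
    return results


if __name__ == "__main__":
    for ip, mac, needs_static in flag_arp_entries(SAMPLE_ARP_TABLE):
        note = "multicast: static ARP/MAC entries needed on strict routers" \
            if needs_static else "unicast: no special handling"
        print(f"{ip:<12} {mac:<18} {note}")
```

Run it against your own ARP table by replacing `SAMPLE_ARP_TABLE` with lines read from the real output; any entry flagged `True` is one that a router or layer 3 switch honoring RFC 1812 will not learn dynamically, which is where the static entries in the requirements above come in.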